6 changes: 3 additions & 3 deletions helm/oauth2-proxy/Chart.yaml
Original file line number Diff line number Diff line change
@@ -30,8 +30,8 @@ maintainers:
kubeVersion: ">=1.16.0-0"
annotations:
artifacthub.io/changes: |
- kind: changed
description: Bump OAuth2 Proxy image to v7.15.1
- kind: fixed
description: Add back support for running without generated/mounted ConfigMap
links:
- name: GitHub PR
url: https://github.com/oauth2-proxy/manifests/pull/403
url: https://github.com/oauth2-proxy/manifests/pull/402
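Review bot: the artifacthub.io/changes list now carries only the `fixed` entry; the `changed` entry `Bump OAuth2 Proxy image to v7.15.1` and its PR link (402) are dropped rather than kept alongside the new entry and link (403). If the image bump ships in the same chart release, keep both entries so the published changelog stays complete; the chart `version:` field is outside this hunk, so confirm it was bumped as well.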
9 changes: 6 additions & 3 deletions helm/oauth2-proxy/README.md
@@ -152,10 +152,10 @@ The following table lists the configurable parameters of the oauth2-proxy chart
| `affinity` | node/pod affinities | None |
| `alphaConfig.annotations` | Configmap annotations | `{}` |
| `alphaConfig.configData` | Arbitrary configuration data to append | `{}` |
| `alphaConfig.configFile` | Arbitrary configuration to append, treated as a Go template and rendered with the root context | `""` |
| `alphaConfig.configFile` | Arbitrary configuration to append, treated as a Go template and rendered with the root context. Can be combined with generated alpha content, but not with `alphaConfig.existingConfig` or `alphaConfig.existingSecret` | `""` |
| `alphaConfig.enabled` | Flag to toggle any alpha config-related logic | `false` |
| `alphaConfig.existingConfig` | existing Kubernetes configmap to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values | `nil` |
| `alphaConfig.existingSecret` | existing Kubernetes secret to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values | `nil` |
| `alphaConfig.existingConfig` | existing Kubernetes configmap to use for the alpha configuration file. Mutually exclusive with `alphaConfig.existingSecret` and generated alpha content (`serverConfigData`, `metricsConfigData`, `configData`, `configFile`) | `nil` |
| `alphaConfig.existingSecret` | existing Kubernetes secret to use for the alpha configuration file. Mutually exclusive with `alphaConfig.existingConfig` and generated alpha content (`serverConfigData`, `metricsConfigData`, `configData`, `configFile`) | `nil` |
| `alphaConfig.metricsConfigData` | Arbitrary configuration data to append to the metrics section | `{}` |
| `alphaConfig.serverConfigData` | Arbitrary configuration data to append to the server section | `{}` |
| `authenticatedEmailsFile.annotations` | configmap or secret annotations | `nil` |
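Review bot: the rewritten `alphaConfig.existingConfig` and `alphaConfig.existingSecret` rows drop the pointer the old rows had (`See [config template](...secret-alpha.yaml) for the required values`), so a user supplying an external ConfigMap or Secret no longer learns which key the chart mounts. State it in the row, for example `must contain the key oauth2_proxy.yml`, which is the key used by `subPath: oauth2_proxy.yml` in deployment.yaml and by the new CI case in ci/alphaconfig-7-existing-secret-values.yaml.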
@@ -498,7 +498,10 @@ that are already supported by the Alpha Config will need to be removed from the
Keep the following in mind:

- The chart always mounts `/etc/oauth2_proxy/oauth2_proxy.cfg`. (Legacy toml config)
Unless both `alphaConfig.enabled` and `forceLegacyConfig` are set to `false`
Copilot AI Mar 29, 2026
This line references forceLegacyConfig without the config. prefix. Since the value is config.forceLegacyConfig, the current wording is ambiguous and could confuse readers; please change it to config.forceLegacyConfig for consistency with the rest of the document.

Suggested change
Unless both `alphaConfig.enabled` and `forceLegacyConfig` are set to `false`
Unless both `alphaConfig.enabled` and `config.forceLegacyConfig` are set to `false`

- Per default `config.forceLegacyConfig` is `true`
- `alphaConfig.existingConfig` and `alphaConfig.existingSecret` are external-source modes.
They cannot be combined with generated alpha content like `configData` or `configFile`.

The evaluation happens in the following order:

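Review bot: the bullets do not say what happens to `config.existingConfig` and `config.configFile` when both `alphaConfig.enabled` and `config.forceLegacyConfig` are `false`; in the new `oauth2-proxy.legacy-config.source` helper `no-config` is chosen before either value is inspected, so both are silently ignored. Add a bullet stating that, and that `config.emailDomains` is not applied in that mode either, because the `email_domains` line only reaches the proxy through the mounted legacy file.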
23 changes: 23 additions & 0 deletions helm/oauth2-proxy/ci/alphaconfig-7-existing-secret-values.yaml
@@ -0,0 +1,23 @@
# Test Case 7: alphaConfig enabled + existingSecret
# Expected: Chart mounts the external alpha Secret instead of generating one.

alphaConfig:
enabled: true
existingSecret: my-external-alpha-secret

extraObjects:
- apiVersion: v1
kind: Secret
metadata:
name: my-external-alpha-secret
type: Opaque
stringData:
oauth2_proxy.yml: |
---
server:
BindAddress: 0.0.0.0:4180
providers:
- id: google
provider: google
clientID: fake-client-id
clientSecret: fake-client-secret
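Review bot: this case exercises only the `existing-secret` source; there is no sibling case for `alphaConfig.existingConfig` (an external ConfigMap) and none for the new `no-config` source, so the `{{- if eq $alphaConfigSource "existing-configmap" }}` volume branch in deployment.yaml and the path that omits `--config` both go untested. Add a case with the same `extraObjects` pattern but `kind: ConfigMap` and `data:`, and a case with `alphaConfig.enabled: false` plus `config.forceLegacyConfig: false`.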
48 changes: 42 additions & 6 deletions helm/oauth2-proxy/templates/_helpers.tpl
@@ -163,37 +163,73 @@ metricsServer:
{{- end }}
{{- end -}}

{{- define "oauth2-proxy.alpha-config.source" -}}
{{- if not .Values.alphaConfig.enabled -}}
disabled
{{- else if .Values.alphaConfig.existingConfig -}}
existing-configmap
{{- else if .Values.alphaConfig.existingSecret -}}
existing-secret
{{- else -}}
generated
{{- end -}}
{{- end -}}

{{- define "oauth2-proxy.alpha-config.name" -}}
{{- $source := include "oauth2-proxy.alpha-config.source" . -}}
{{- if eq $source "existing-configmap" -}}
{{- .Values.alphaConfig.existingConfig -}}
{{- else if eq $source "existing-secret" -}}
{{- .Values.alphaConfig.existingSecret -}}
{{- else if eq $source "generated" -}}
{{- printf "%s-alpha" (include "oauth2-proxy.fullname" .) -}}
{{- end -}}
{{- end -}}

{{/*
If `config.forceLegacyConfig=false`, the chart ignores both the `config.configFile` and `config.existingConfig` overrides and only generates a minimal necessary legacy config.
If `config.existingConfig` is set and `config.forceLegacyConfig=true`, the external ConfigMap is mounted into the mounted file.
If `config.configFile` is set and `config.forceLegacyConfig=true`, the chart renders that inline content into the mounted file.
If `config.forceLegacyConfig=false` and `alphaConfig.enabled=false`, the chart renders no config map and does not mount a file.
*/}}
Comment on lines 189 to 194
Copilot AI Mar 29, 2026
The helper doc comment says config.forceLegacyConfig=false “only generates a minimal necessary legacy config”, but the new no-config path means no legacy config is rendered/mounted when alphaConfig.enabled=false and config.forceLegacyConfig=false. Update the comment to reflect the two different behaviors (alphaConfig-enabled vs alphaConfig-disabled).

{{- define "oauth2-proxy.legacy-config.mode" -}}
{{- if and .Values.alphaConfig.enabled (not .Values.config.forceLegacyConfig) -}}
{{- define "oauth2-proxy.legacy-config.source" -}}
{{- if .Values.alphaConfig.enabled -}}
{{- if not .Values.config.forceLegacyConfig -}}
generated-alpha-compatible
{{- else if .Values.config.existingConfig -}}
existing-configmap
{{- else if .Values.config.configFile -}}
inline-custom
{{- else if .Values.alphaConfig.enabled -}}
{{- else -}}
generated-alpha-compatible
{{- end -}}
{{- else if not .Values.config.forceLegacyConfig -}}
no-config
{{- else if .Values.config.existingConfig -}}
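Review bot: in the `alphaConfig.enabled=false` branch, `no-config` is returned before `config.existingConfig` or `config.configFile` are examined, so a user who sets `config.forceLegacyConfig: false` together with an external ConfigMap or an inline file gets neither, and no error tells them so. Either let an explicitly set `config.existingConfig` / `config.configFile` take precedence over `no-config`, or add a `fail` for that combination in deprecation.yaml, as is already done for conflicting alpha sources.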
Comment on lines +203 to +208
Copilot AI Mar 29, 2026
The new no-config legacy-config source (when alphaConfig.enabled=false and config.forceLegacyConfig=false) changes rendered manifests by removing the legacy ConfigMap, --config arg, and volume mounts, but there is no chart-testing install case in helm/oauth2-proxy/ci/ covering this mode. Add a CI values file exercising no-config to prevent regressions (e.g., ensure configmap.yaml is skipped and the Deployment no longer references configmain).

existing-configmap
{{- else if .Values.config.configFile -}}
inline-custom
{{- else -}}
generated-legacy
{{- end -}}
{{- end -}}

{{- define "oauth2-proxy.legacy-config.enabled" -}}
{{- ne (include "oauth2-proxy.legacy-config.source" .) "no-config" -}}
{{- end -}}

{{- define "oauth2-proxy.legacy-config.name" -}}
{{- if eq (include "oauth2-proxy.legacy-config.mode" .) "existing-configmap" -}}
{{- if eq (include "oauth2-proxy.legacy-config.source" .) "existing-configmap" -}}
{{- .Values.config.existingConfig -}}
{{- else -}}
{{- template "oauth2-proxy.fullname" . -}}
{{- end -}}
{{- end -}}

{{- define "oauth2-proxy.legacy-config.content" -}}
{{- if eq (include "oauth2-proxy.legacy-config.mode" .) "inline-custom" -}}
{{- if eq (include "oauth2-proxy.legacy-config.source" .) "inline-custom" -}}
{{- tpl .Values.config.configFile $ -}}
{{- else if eq (include "oauth2-proxy.legacy-config.mode" .) "generated-alpha-compatible" -}}
{{- else if eq (include "oauth2-proxy.legacy-config.source" .) "generated-alpha-compatible" -}}
email_domains = {{ .Values.config.emailDomains | toJson }}
{{- else -}}
email_domains = {{ .Values.config.emailDomains | toJson }}
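Review bot: `oauth2-proxy.legacy-config.name` has no `no-config` case and falls through to the fullname, so it returns the name of a ConfigMap that configmap.yaml will not render; that is safe only while every caller checks `oauth2-proxy.legacy-config.enabled` first, as deployment.yaml does. Return an empty string for `no-config`, mirroring how `oauth2-proxy.alpha-config.name` returns nothing for `disabled`, so a future caller cannot end up referencing a missing ConfigMap.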
3 changes: 2 additions & 1 deletion helm/oauth2-proxy/templates/configmap.yaml
@@ -1,4 +1,5 @@
{{- if ne (include "oauth2-proxy.legacy-config.mode" .) "existing-configmap" }}
{{- $legacySource := include "oauth2-proxy.legacy-config.source" . }}
{{- if not (has $legacySource (list "existing-configmap" "no-config")) }}
apiVersion: v1
kind: ConfigMap
Comment on lines +1 to 4
Copilot AI Mar 29, 2026
PR description mentions adding a mode label to generated ConfigMaps for debugging, but this template currently only changes the generation condition and does not add any label reflecting $legacySource. Consider adding a label (e.g., legacy-config/source or mode) under metadata.labels when the ConfigMap is rendered so users can identify which legacy config source was used.

metadata:
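Review bot: the render condition `not (has $legacySource (list "existing-configmap" "no-config"))` encodes the same rule that deployment.yaml writes as `and $legacyConfigEnabled (ne $legacySource "existing-configmap")`; use the `oauth2-proxy.legacy-config.enabled` helper here as well so the two templates cannot drift when another source is added later. In the visible lines `$legacySource` is otherwise unused, which is where a source label under `metadata.labels` would naturally go.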
27 changes: 18 additions & 9 deletions helm/oauth2-proxy/templates/deployment.yaml
@@ -1,3 +1,6 @@
{{- $legacySource := include "oauth2-proxy.legacy-config.source" . }}
{{- $legacyConfigEnabled := eq (include "oauth2-proxy.legacy-config.enabled" .) "true" -}}
{{- $alphaConfigSource := include "oauth2-proxy.alpha-config.source" . -}}
{{- $redisEnabled := eq (include "oauth2-proxy.redis.enabled" .) "true" -}}
{{- $redisValues := index .Values "redis-ha" | default dict -}}
apiVersion: apps/v1
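Review bot: the first line `{{- $legacySource := include "oauth2-proxy.legacy-config.source" . }}` has no right trim (`-}}`) while the three assignments after it do, so the rendered manifest begins with an empty line. Harmless for kubectl, but inconsistent; close it with `-}}` like its neighbours.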
@@ -27,12 +30,14 @@ spec:
template:
metadata:
annotations:
{{- if ne (include "oauth2-proxy.legacy-config.mode" .) "existing-configmap" }}
{{- if and $legacyConfigEnabled (ne $legacySource "existing-configmap") }}
checksum/config: {{ include "oauth2-proxy.legacy-config.content" . | sha256sum }}
{{- end }}
{{- if .Values.alphaConfig.enabled }}
{{- if eq $alphaConfigSource "generated" }}
checksum/alpha-config: {{ include "oauth2-proxy.alpha-config" . | sha256sum }}
{{- end }}
legacy/source: {{ include "oauth2-proxy.legacy-config.source" . }}
alpha/source: {{ include "oauth2-proxy.alpha-config.source" . }}
{{- if .Values.authenticatedEmailsFile.enabled }}
checksum/config-emails: {{ include (print $.Template.BasePath "/configmap-authenticated-emails-file.yaml") . | sha256sum }}
{{- end }}
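Review bot: the new `legacy/source` and `alpha/source` annotations call `include` again instead of reusing `$legacySource` and `$alphaConfigSource` defined at the top of the file; use the variables. Since these sit on the pod template, any change of source now triggers a rollout, which is reasonable but deserves a sentence in the README next to the `checksum/*` behaviour.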
@@ -145,7 +150,9 @@ spec:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- end }}
{{- if $legacyConfigEnabled }}
- --config=/etc/oauth2_proxy/oauth2_proxy.cfg
{{- end }}
Comment on lines +153 to +155
Copilot AI Mar 29, 2026
New no-config mode changes runtime behavior (skips legacy ConfigMap generation/mount and omits the --config arg), but there is no chart-testing install scenario covering alphaConfig.enabled=false + config.forceLegacyConfig=false. Add a helm/oauth2-proxy/ci/*-values.yaml case to ensure templates render and install correctly for this mode.

{{- if .Values.authenticatedEmailsFile.enabled }}
{{- if .Values.authenticatedEmailsFile.template }}
- --authenticated-emails-file=/etc/oauth2-proxy/{{ .Values.authenticatedEmailsFile.template }}
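Review bot: with `--config` omitted under `no-config`, nothing carries `email_domains` to the proxy, because the generated legacy file is the only place the chart writes `config.emailDomains` (see `oauth2-proxy.legacy-config.content` in _helpers.tpl). An operator switching to this mode therefore loses the email-domain restriction unless they pass the proxy's `--email-domain` flag themselves. Call that out in values.yaml and the README for this mode; a render-time `fail` when `config.emailDomains` is set but no config is mounted would catch it earlier.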
@@ -302,10 +309,12 @@ spec:
readOnly: true
{{- end }}
{{- end }}
{{- if $legacyConfigEnabled }}
- mountPath: /etc/oauth2_proxy/oauth2_proxy.cfg
name: configmain
subPath: oauth2_proxy.cfg
{{- if .Values.alphaConfig.enabled }}
{{- end }}
{{- if ne $alphaConfigSource "disabled" }}
- mountPath: /etc/oauth2_proxy/oauth2_proxy.yml
name: configalpha
subPath: oauth2_proxy.yml
@@ -368,23 +377,23 @@ spec:
name: {{ template "oauth2-proxy.fullname" . }}-wait-for-redis
defaultMode: 0775
{{- end }}
{{- if $legacyConfigEnabled }}
- configMap:
defaultMode: 420
name: {{ include "oauth2-proxy.legacy-config.name" . | trim }}
name: configmain
{{- if .Values.alphaConfig.enabled }}
{{- if .Values.alphaConfig.existingConfig }}
{{- end }}
{{- if eq $alphaConfigSource "existing-configmap" }}
- configMap:
defaultMode: 420
name: {{ .Values.alphaConfig.existingConfig }}
name: {{ include "oauth2-proxy.alpha-config.name" . }}
name: configalpha
{{- else }}
{{- else if or (eq $alphaConfigSource "existing-secret") (eq $alphaConfigSource "generated") }}
- secret:
defaultMode: 420
secretName: {{ if .Values.alphaConfig.existingSecret }}{{ .Values.alphaConfig.existingSecret }}{{ else }}{{ template "oauth2-proxy.fullname" . }}-alpha{{ end }}
secretName: {{ include "oauth2-proxy.alpha-config.name" . }}
name: configalpha
{{- end }}
{{- end }}
{{- if ne (len .Values.extraVolumes) 0 }}
{{ tpl (toYaml .Values.extraVolumes) . | indent 6 }}
{{- end }}
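Review bot: the `existing-configmap` and `existing-secret` volume entries are both mounted with `subPath: oauth2_proxy.yml`, so an external object that lacks exactly that key renders cleanly at `helm template` time and only fails when the pod starts. Document the required key next to `alphaConfig.existingConfig` and `alphaConfig.existingSecret` in values.yaml and the README, since the template cannot verify it.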
6 changes: 6 additions & 0 deletions helm/oauth2-proxy/templates/deprecation.yaml
@@ -2,6 +2,12 @@
{{- if .Values.service.port }}
{{ fail "`service.port` does no longer exist. It has been renamed to `service.portNumber`" }}
{{- end }}
{{- if and .Values.alphaConfig.enabled .Values.alphaConfig.existingConfig .Values.alphaConfig.existingSecret }}
{{ fail "`alphaConfig.existingConfig` and `alphaConfig.existingSecret` are mutually exclusive. Configure exactly one external alpha config source." }}
{{- end }}
{{- if and .Values.alphaConfig.enabled (or .Values.alphaConfig.existingConfig .Values.alphaConfig.existingSecret) (or .Values.alphaConfig.serverConfigData .Values.alphaConfig.metricsConfigData .Values.alphaConfig.configData .Values.alphaConfig.configFile) }}
{{ fail "External alpha config sources (`alphaConfig.existingConfig` or `alphaConfig.existingSecret`) cannot be combined with generated alpha config content (`serverConfigData`, `metricsConfigData`, `configData`, or `configFile`). Choose one alpha config source." }}
{{- end }}
{{- if eq ( include "capabilities.ingress.apiVersion" . ) "networking.k8s.io/v1" -}}
{{- range .Values.ingress.extraPaths }}
{{- if or (.backend.serviceName) (.backend.servicePort) }}
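Review bot: the two new `fail` checks cover conflicting alpha sources, but there is no equivalent for the legacy side: `config.existingConfig` together with `config.configFile` is accepted and `oauth2-proxy.legacy-config.source` silently prefers the ConfigMap, and `config.forceLegacyConfig=false` with `alphaConfig.enabled=false` silently discards both. Add a third block of the same shape, `{{- if and .Values.config.existingConfig .Values.config.configFile }}` followed by a `fail`, so the misconfiguration surfaces at render time instead of as an unexpected runtime config.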
9 changes: 2 additions & 7 deletions helm/oauth2-proxy/templates/secret-alpha.yaml
@@ -1,9 +1,4 @@
{{-
if and
.Values.alphaConfig.enabled
(not .Values.alphaConfig.existingConfig)
(not .Values.alphaConfig.existingSecret)
}}
{{- if eq (include "oauth2-proxy.alpha-config.source" .) "generated" }}
apiVersion: v1
kind: Secret
metadata:
@@ -14,7 +9,7 @@ metadata:
labels:
app: {{ template "oauth2-proxy.name" . }}
{{- include "oauth2-proxy.labels" . | indent 4 }}
name: {{ template "oauth2-proxy.fullname" . }}-alpha
name: {{ include "oauth2-proxy.alpha-config.name" . }}
namespace: {{ template "oauth2-proxy.namespace" $ }}
data:
oauth2_proxy.yml: {{ include "oauth2-proxy.alpha-config" . | b64enc | quote }}
14 changes: 12 additions & 2 deletions helm/oauth2-proxy/values.yaml
@@ -64,6 +64,8 @@ config:
# generates a minimal legacy config from emailDomains only.
# 3. If configFile is empty/not set, the config is auto-generated
# from emailDomains and, when alphaConfig is disabled, upstreams.
# 4. When alphaConfig.enabled=false and forceLegacyConfig=false
# no ConfigMap is generated and mounted
configFile: ""
# Email domains allowed to authenticate when the chart generates
# the main oauth2_proxy.cfg.
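Review bot: item 4 of the comment reads `no ConfigMap is generated and mounted`; it should say `generated or mounted`, and unlike items 1 to 3 it has no closing period. Because this list documents `configFile`, it should also say that `configFile` (and `existingConfig`) are ignored in that case.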
@@ -109,6 +111,8 @@ config:
# instead (see examples below).
# - Move any other relevant settings into alphaConfig and/or
# flags rather than relying on a custom legacy configFile.
# 3) If forceLegacyConfig and alphaConfig.enabled are false
# no ConfigMap is being mounted.
forceLegacyConfig: true
#
# Custom configuration file: oauth2_proxy.cfg (overrides
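Review bot: `3) If forceLegacyConfig and alphaConfig.enabled are false no ConfigMap is being mounted.` needs a comma after `false` and `is mounted` rather than `is being mounted`; it should also mention that the `--config` argument is dropped in that case, since that is the part users notice at runtime.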
@@ -164,10 +168,16 @@ alphaConfig:
#
# Arbitrary configuration to append
# This is treated as a Go template and rendered with the root context
# This may be combined with configData/serverConfigData/metricsConfigData
# when the chart generates the alpha config itself.
configFile: ""
# Use an existing config map (see secret-alpha.yaml for required fields)
# Use an existing config map (see secret-alpha.yaml for required fields).
Copilot AI Mar 29, 2026
The comment for alphaConfig.existingConfig points to secret-alpha.yaml for required fields, but that template defines a Secret (base64-encoded data:), not a ConfigMap. This is misleading for users providing an external ConfigMap; consider documenting the required key directly (e.g., data.oauth2_proxy.yml) or referencing a ConfigMap-specific example/template instead.

Suggested change
# Use an existing config map (see secret-alpha.yaml for required fields).
# Use an existing ConfigMap containing the alpha config file (for example,
# with a key like `oauth2_proxy.yml` under `.data`).

# Mutually exclusive with existingSecret and all generated alpha config
# content options above.
existingConfig: ~
# Use an existing secret
# Use an existing secret.
# Mutually exclusive with existingConfig and all generated alpha config
# content options above.
existingSecret: ~
#
# NOTE: When using alphaConfig with external secrets (e.g., Azure
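Review bot: the comment on `existingSecret` says only `Use an existing secret.`; like `existingConfig`, it should name the required key (`oauth2_proxy.yml`, as used in ci/alphaconfig-7-existing-secret-values.yaml) and say that the value is the complete alpha config file. Listing the `content options above` explicitly (`configData`, `configFile`, `serverConfigData`, `metricsConfigData`), as the README rows do, avoids ambiguity.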